[Freeipa-users] Unable to establish trust with FreeIPA and Active Directory

Alexander Bokovoy abokovoy at redhat.com
Fri Apr 4 15:42:07 UTC 2014


On Fri, 04 Apr 2014, Redmond, Stacy wrote:
>We will be using unix as the Kerberos realm and unix.sbx.local as the
>domain so we can use srv records for the unix hosts to point at ipa.
>The AD domain is sbx.local, here is the output using the AD domain
>
>[root@linuxtest1 ~]# ipa trust-add --type=ad sbx.local --admin Administrator --password
>Active directory domain administrator's password:
>ipa: ERROR: Cannot find specified domain or server name
>[root@linuxtest1 ~]# cat /var/log/httpd/error_log
>lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
>params.c:pm_process() - Processing configuration file
>"/usr/share/ipa/smb.conf.empty"
>Processing section "[global]"
>INFO: Current debug levels:
>  all: 100
>  tdb: 100
>  printdrivers: 100
>  lanman: 100
>  smb: 100
>  rpc_parse: 100
>  rpc_srv: 100
>  rpc_cli: 100
>  passdb: 100
>  sam: 100
>  auth: 100
>  winbind: 100
>  vfs: 100
>  idmap: 100
>  quota: 100
>  acls: 100
>  locking: 100
>  msdfs: 100
>  dmapi: 100
>  registry: 100
>pm_process() returned Yes
>Using binding ncacn_np:linuxtest1.unix.sbx.local[,]
^^ talking to IPA host's smbd process.

>tevent: Added timed event "dcerpc_connect_timeout_handler":
>0x7facb82e9d30
>tevent: Added timed event "composite_trigger": 0x7facb80a8de0
>tevent: Added timed event "composite_trigger": 0x7facb80a9710
>tevent: Running timer event 0x7facb80a8de0 "composite_trigger"
>tevent: Destroying timer event 0x7facb80a9710 "composite_trigger"
>Mapped to DCERPC endpoint \pipe\lsarpc
>added interface eth0 ip=10.130.82.68 bcast=10.130.82.255
>netmask=255.255.255.0
>added interface eth0 ip=10.130.82.68 bcast=10.130.82.255
>netmask=255.255.255.0
>tevent: Ending timer event 0x7facb80a8de0 "composite_trigger"
>tevent: Added timed event "connect_multi_timer": 0x7facb81bf0e0
>tevent: Schedule immediate event "tevent_req_trigger": 0x7facb81bfa10
>tevent: Run immediate event "tevent_req_trigger": 0x7facb81bfa10
>tevent: Destroying timer event 0x7facb81bf0e0 "connect_multi_timer"
>Socket options:
>        SO_KEEPALIVE = 0
>        SO_REUSEADDR = 0
>        SO_BROADCAST = 0
>        TCP_NODELAY = 1
>        TCP_KEEPCNT = 9
>        TCP_KEEPIDLE = 7200
>        TCP_KEEPINTVL = 75
>        IPTOS_LOWDELAY = 0
>        IPTOS_THROUGHPUT = 0
>        SO_REUSEPORT = 0
>        SO_SNDBUF = 169160
>        SO_RCVBUF = 87380
>        SO_SNDLOWAT = 1
>        SO_RCVLOWAT = 1
>        SO_SNDTIMEO = 0
>        SO_RCVTIMEO = 0
>        TCP_QUICKACK = 1
>        TCP_DEFER_ACCEPT = 0
>tevent: Added timed event "tevent_req_timedout": 0x7facb814b930
>tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>0x7facb8156ab0
>tevent: Run immediate event "tevent_queue_immediate_trigger":
>0x7facb8156ab0
>tevent: Destroying timer event 0x7facb814b930 "tevent_req_timedout"
>Starting GENSEC mechanism spnego
>Starting GENSEC submechanism gssapi_krb5
>Ticket in credentials cache for admin@UNIX will expire in 31325 secs
>tevent: Added timed event "tevent_req_timedout": 0x7facb82715b0
>tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>0x7facb8156ab0
>tevent: Run immediate event "tevent_queue_immediate_trigger":
>0x7facb8156ab0
>tevent: Destroying timer event 0x7facb82715b0 "tevent_req_timedout"
>gensec_gssapi: NO credentials were delegated
>GSSAPI Connection will be cryptographically sealed
>tevent: Added timed event "tevent_req_timedout": 0x7facb814c340
>tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>0x7facb8156ab0
>tevent: Run immediate event "tevent_queue_immediate_trigger":
>0x7facb8156ab0
>tevent: Destroying timer event 0x7facb814c340 "tevent_req_timedout"
>tevent: Added timed event "tevent_req_timedout": 0x7facb814c340
>tevent: Schedule immediate event "tevent_queue_immediate_trigger":
>0x7facb8156ab0
>tevent: Run immediate event "tevent_queue_immediate_trigger":
>0x7facb8156ab0
>tevent: Destroying timer event 0x7facb814c340 "tevent_req_timedout"
>tevent: Destroying timer event 0x7facb82e9d30
>"dcerpc_connect_timeout_handler"
^^ stopped just short of authenticating to smbd prior to asking it for
informational policy about the domain.

This means there is some problem in what smbd thinks about your
admin@UNIX account.

Can you do the following:

# for i in /var/log/samba/log.* ; do echo > $i ; done
# smbcontrol all debug 100
# kinit admin@UNIX
# ipa trust-add sbx.local ....
# smbcontrol all debug 1

Now archive the logs in /var/log/samba/log.* and send them to me privately.

-- 
/ Alexander Bokovoy
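The capture procedure from the reply above, wrapped as one script (an added example, not code from the thread or from FreeIPA itself). It assumes the logs live in /var/log/samba/log.*, that smbcontrol, kinit and ipa are on PATH, and that the archive goes to /root; each of these is an assumption that can be overridden through the environment variable named in the script.

```sh
#!/bin/sh
# Added example, not part of the original thread: the log-capture
# procedure from the reply as one script. Samba's debug level is restored
# even if ipa trust-add fails or the script is interrupted, and the
# archive is created under umask 077 because debug-100 logs expose
# account and session details. Assumptions (override via environment):
# logs live in /var/log/samba/log.*, archives go to /root.
SAMBA_LOG_DIR="${SAMBA_LOG_DIR:-/var/log/samba}"
OUT_DIR="${OUT_DIR:-/root}"
SMBCONTROL="${SMBCONTROL:-smbcontrol}"
KINIT="${KINIT:-kinit}"
IPA="${IPA:-ipa}"

# Empty every existing log so the archive holds only this attempt.
truncate_samba_logs() {
    for f in "$1"/log.*; do
        if [ -f "$f" ]; then : > "$f"; fi
    done
}

set_debug_level() {
    "$SMBCONTROL" all debug "$1"
}

# Pack DIR/log.* into OUT (absolute path); umask 077 keeps it owner-only.
archive_samba_logs() {
    ( umask 077 && cd "$1" && tar -czf "$2" log.* )
}

# Usage: capture_trust_debug PRINCIPAL [ipa trust-add arguments...]
# Prints the archive path on success.
capture_trust_debug() {
    principal="$1"; shift
    out="$OUT_DIR/samba-trust-debug-$(date +%Y%m%d%H%M%S).tar.gz"
    truncate_samba_logs "$SAMBA_LOG_DIR"
    set_debug_level 100
    # Whatever happens from here on, drop the debug level back to 1.
    trap 'set_debug_level 1' EXIT INT TERM
    if ! "$KINIT" "$principal"; then
        echo "kinit $principal failed" >&2
        return 1
    fi
    # A failing trust-add is exactly what we want captured, so continue.
    "$IPA" trust-add "$@" || echo "ipa trust-add returned $?" >&2
    set_debug_level 1
    trap - EXIT INT TERM
    archive_samba_logs "$SAMBA_LOG_DIR" "$out" && echo "$out"
}
```

Run it as root, for example `capture_trust_debug admin@UNIX --type=ad sbx.local --admin Administrator --password`, and send the printed archive path's file privately rather than pasting it to the list.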